Introduction

Yodlee.com, Carillon, uMonitor.com, NetSmart Money, Cash Edge, Incorporated, ettaché.com, HomeAccount, Sage Financial, Vertical One. Not yet household names, these companies are on the leading edge of a financial services revolution -- Web account aggregation.

The 500,000 to 1 million users of account aggregation services today could reach 7 million in two years and between 50 and 90 million by 2005. Consumers interested in account aggregation are exactly the customers that financial institutions target – they are younger, wealthier and more web-savvy than their uninterested counterparts.

Recent advances in technology and growing consumer acceptance of the Internet have popularized account aggregation. As more consumers register for the service, traditional financial service providers are struggling to determine where aggregation leaves them. Initially, financial institutions tried to obstruct data aggregation activity, even suing aggregators to prevent so-called screen scraping, citing concerns about security and liability.

In less than a year, the antagonism of financial institutions has mellowed to competition and in some cases, cooperation. Citigroup's MyCiti aggregation site uses Yodlee technology, for example.

Banks and brokerages were the first financial institutions to recognize the advantages of working with aggregators. Mortgage bankers, repositories of vital financial information, and a trusted source for most of their customers, might take their cues from other financial institutions that have teamed with aggregators for mutual benefit.

What Is Account Aggregation?

Aggregation is the process of collecting a consumer's information, reformatting it and presenting it to the consumer. The information is usually collected from banks, credit card issuers, brokerages, utility companies and insurance companies (called "account holders" in this article), but can also be collected from other websites, like airlines' frequent flyer sites, and news and weather sources. Aggregators typically provide a hyperlink to the website of each of the customer's account holders.

Aggregators gather information by accessing a website with a consumer's login name and password, using a direct feed or by screen scraping. A direct feed is used if there is an agreement between the account holder and the aggregator allowing direct transmission of account data to the aggregator. Screen scraping, on the other hand, takes place without the account holder's knowledge. The screen scraping aggregator logs into an account holder's website using a consumer's login name and password; when the information is displayed, the aggregator can copy the account balances directly from the screen. The data can be reformatted and presented to the consumer on the aggregator's website.

Currently, aggregators do not offer the ability to perform transactions through the consumer's summary screen. However, this may change as aggregators develop dynamic sites. With dynamic sites, more varied transactions become possible, including moving money among accounts, paying bills and investing online.

It has been speculated that aggregators may eventually automate the entire process of financial decision making, automatically moving assets into and out of investments for the best financial return. This potential challenges the secure position many financial institutions have with their customers and opens up opportunities for others. Some of these opportunities may go to forward-looking mortgage bankers.

Why Is Aggregation So Popular?

Several factors contribute to the popularity of account aggregation, including the huge appeal of convenience. Instead of logging on to multiple websites, consumers can check account information, email and news at a single site with a single password. Aggregator sites can provide access to hundreds of other sites. Consumers may also be able to access an aggregator's website from a cell phone or PDA and gain access to their finances 24/7 from anywhere.

The popularity of Internet portals has also promoted aggregation, as many of the most important portal sites have partnered with aggregators to bring to their visitors services they cannot offer alone.

For consumers, aggregation has the advantage of offering electronic bill presentment and payment ("EBPP"). This feature may be a boon to online banking, which has been slow to catch on. Estimates of the number of households that will pay bills electronically in the next decade are as high as 70%. The ability to pay bills online is the number one request of some consumers. For financial institutions too, aggregation has advantages. A study of First Union's customers revealed that those who bank online are nearly three times as profitable as other customers.

Why Is Aggregation Controversial?

Aggregation is controversial because it is novel and challenges traditional relationships between financial institutions and their customers. Octavio Marenzi of Celent Communications in Cambridge, Massachusetts was quoted as saying "knowing where customers keep their assets is the Holy Grail for financial institutions." Traditional providers of financial account information fear their connection to their customers will be diminished or made redundant by aggregators, and they worry about the loss of cross-selling opportunities. If the customer visits only the aggregator's website and bypasses the account holder's website, the account holder's website traffic will diminish, making the sale of advertising harder.

The business concerns facing both account holders and aggregators exist in an environment where questions of reliability, trust, and privacy have not been fully explored or resolved, and the uncertain applicability of a variety of laws creates an unpredictable future. Some of the questions at the heart of the debate are as follows:

Questions of Knowledge: Should financial institutions be notified that customer information has been scraped from their websites? How can audit trails be established to differentiate between real customer visits and screen scrapers?

If the aggregator has no agreement to obtain information from an account holder's website, the account holder will be unaware that someone other than a consumer is logging into its website. The aggregator can enter the account holder's site simply using the customer's login name and PIN. A customer that has provided his login name and PIN to an aggregator may bear the risk of mistake or fraud in transactions that arise from the account aggregation, because it will be difficult to prove the aggregator's activity was unauthorized. The first bank to try to distinguish aggregators from consumer visits to its website, First Union, established requirements for aggregators in December 1999. These requirements included: disclosures to customers, review and approval of access technology, differentiation between an aggregator entering its system and a "real" customer, and third party security audits. First Union attempted to impose audit trail obligations on aggregators unilaterally; more recently, some aggregators have voluntarily agreed to audit trails for their visits.

Questions of Access and Accuracy: Can financial institutions' systems stand up to large scale screen scraping? Who should bear the cost of system risk, and who is responsible for the accuracy of the information scraped?

When an aggregator logs into a site, it can collect information on hundreds of customers. This activity could tie up the account holder's system, making it unavailable for "real" customers. Large-scale screen scraping could make an account holder's system unstable or contribute to increased system upgrade and service costs for the account holder. Account holders also alter the appearance of their websites, either to appeal to customers or to deter screen scraping. The scraped information may be less reliable when the account holder's website is frequently changed. Even if a customer uses an aggregation service, if he has questions on a financial account, he is likely to contact the financial institution first for resolution. These customer service demands will also create increased costs for the account holder.

Questions of Security: How can aggregators ensure the integrity of their security systems and procedures? Who is responsible to consumers if security is breached?

Aggregators have been working hard to convince financial institutions and consumers that their systems are safe and secure. Best practices for aggregators have emerged, which include third party audits, identification and authentication systems, access control procedures, and incident detection procedures. Despite these procedures, it is impossible to guarantee absolute security of information, and widespread use of aggregation systems may make it difficult to tell where information security breaches originate. Both financial institutions and aggregators should expect to absorb some of the costs of security violations. Aggregators can insure themselves against loss through ordinary business insurance policies and insurance especially designed for web-based activities, but access to the financial accounts of hundreds of thousands or millions of customers could lead to risks exceeding available insurance coverage.

Questions of Competition: Whose customers are they, anyway?

Aggregators threaten other financial service providers who would prefer their customers enter their websites directly. A bank or mortgage company needs "eyeballs" on its website to cross market other products and to sell advertising space. Refusal to deal with aggregators and attempts to inhibit them have not prevented their growth, however, so traditional financial institutions have taken the "if you can't beat 'em, join 'em" approach. Some institutions have joined the ranks of the aggregators, providing similar services themselves. The aggregator market has evolved at the same time, partnering more often with traditional financial institutions rather than merely soliciting retail customers.

Legal Environment For Account Aggregators

The rapid growth of the aggregation industry has left industry, lawmakers, regulators and customers wondering what laws apply. Because it is based on relatively new technology, account aggregation does not fit comfortably within any existing regulatory scheme. Some of the laws potentially applicable to it are discussed below.

(A) Title V of the Gramm-Leach-Bliley Act

The privacy provisions of the Gramm-Leach-Bliley Act ("GLB") limit financial institutions from sharing customer nonpublic personal financial information with nonaffiliated parties. The Federal Trade Commission ("FTC") has stated unambiguously that the GLB privacy requirements apply to aggregators. Because many aggregators are not accustomed to thinking of themselves as financial institutions, they may be unaware that these privacy rules apply to them, and may unwittingly fail to comply.

(B) Electronic Fund Transfer Act

The Electronic Fund Transfer Act ("EFTA") applies to transfers of funds by financial institutions that are initiated electronically. Whether it could also apply to the activities of aggregators will be decided by the Board of Governors of the Federal Reserve System ("FRB").

The EFTA subjects financial institutions, even those that are not account holders, to certain disclosure, record keeping and error resolution requirements, and regulates the issuance of access devices and periodic statements. Because of the many ways in which aggregators may operate in the future, the FRB could determine that some aggregators should be regulated as financial institutions under the EFTA.

The FRB requested comments from industry on how aggregation services operate or plan to operate; it also asked industry to comment on the consequences of a determination that aggregators are financial institutions under the EFTA. When the comment period closed on August 31, 2000, the FRB had received only six letters addressing this issue. Only one industry participant (Intuit, Inc.) submitted a comment letter.

(C) State Licensing Requirements

States presently license a wider array of financial service providers than does the federal government. Thus, regulatory scrutiny and licensing schemes for account aggregators are more likely to be proposed at the state level than at the federal level, particularly if consumer complaints crop up. Existing state laws do not presently require licensing for account aggregators, but in part this may be because some of the state regulators are unaware of this type of financial service, or uncertain how aggregation services are provided. Other financial service providers are subject to state licensing in connection with activities not very dissimilar from account aggregation.

For example, several states regulate companies engaged in money transmission. Money transmitters, at their most basic, receive money from one party to pay to another party. Aggregators, including those that offer electronic bill payment services, are distinguishable from money transmitters because they do not receive funds. Rather, they receive instructions from a customer and then instruct the customer's bank to transfer funds. Money transmitter laws were drafted prior to the explosion of Internet commerce, so lawmakers have not considered the implications of having an Internet based intermediary ordering financial transactions for customers. Aggregation providers have the ability to make traditional money transmitters obsolete, and states may not allow a regulated industry to be displaced by an unregulated one.

Even absent new laws, some states could interpret current laws to include those who receive payment instructions that result in the transmission of money, and not just those who actually receive money. Should this occur, aggregators may find themselves subject to licensing schemes that include license fees, background investigations, surety bonds, minimum net worth requirements, annual record keeping and reporting requirements, periodic examinations by state regulators, fee limitations, and criminal and civil penalties for noncompliance.

Another possibility is that new legislation may be proposed to cover aggregators. The Uniform Money Services Act ("UMSA") was approved by the National Conference of Commissioners on Uniform State Laws at its August 2000 meeting, and recommended for enactment by the states. Although the UMSA was not drafted to cover account aggregation, the primary objectives of the UMSA are to address issues of safety and soundness with respect to money services businesses and to deter money laundering and other illegal activities, issues that are also important in the aggregation industry. States could, therefore, choose to include aggregation services in any enacted version of the UMSA. Here, too, the result could be licensing, security, net worth, examination, and reporting and record keeping requirements.

(D) Cross-Activation

State attempts to regulate aggregators, as discussed above, may trigger federal regulation. For example, the Bank Secrecy Act ("BSA"), not currently applicable to aggregators, applies to licensed senders of money. If applied to aggregators, state money transmitter laws could subject aggregators to the record keeping and reporting requirements of the BSA, as well as require them to report suspicious activity. Alternatively, if the Secretary of the Treasury determines that aggregators should be covered by the BSA because their activities have become sufficiently similar to (or a substitute for) those of covered entities, that determination could trigger applicability of state licensing regulations as aggregators might then fit within the definition of financial institutions under state money transmitter laws.

How Do Mortgage Companies Fit In?

Aggregation services are catching on. Customers using these new services are opting for convenience over prior relationships with traditional financial service providers. One of the most significant impediments to even wider adoption of aggregation services is the question of trust and reliability. Financial institutions, particularly banks, have long relied on their reputation for trustworthiness and security to retain customers. Some of these financial institutions are now opting to roll out their own account aggregation services to compete with services offered by non-financial intermediaries.

Mortgage companies, particularly those with significant servicing business, would appear to be a natural source of account aggregation services. Mortgagors have monthly (and in some cases, more frequent) transactions with their lender/servicers, which may coincide naturally with the frequency of mortgagors' other bill payments. Adopters of account aggregation services are amenable to "one stop" shopping, or at least to minimizing visits to financial service websites for bill paying. Mortgage companies might therefore have an especially appealing opportunity to cross market non-mortgage services and products to their customers if they sponsor the aggregation site. The relationship of a mortgage lender with a mortgagor is typically a long one – about five to seven years. And many national mortgage companies have the name and brand recognition necessary to earn the trust of the customer.

Other possibilities also make entry of the mortgage industry into aggregation enticing. It is expected by some that the software and technology of account aggregation could lead to automated financial decision making. If so, an account aggregation service offered by a mortgage company could help the mortgagor with financial planning, early payoff of a mortgage, determining when to refinance a mortgage, and the like. Dynamic mortgage-lender sponsored aggregation services could help borrowers avoid late charges on their payments by scheduling payments to coincide with due dates and direct deposits, allow homeowners to take advantage of early payment discounts for real property taxes, and provide other creative financial and money-saving functionalities.

As a mortgage payment is often the largest monthly obligation of a borrower, the mortgage lender's knowledge of, and ability to effect transactions in, the mortgagor's account could be the next big thing on the ever-changing landscape of mortgage lending and e-commerce.

About The Authors: Andrea Lee Negroni is a partner and Patricia S. Mugavero is an associate in the Washington, DC office of Goodwin, Procter & Hoar, LLP, in its Financial Services Group. Goodwin Procter is a full service law firm specializing in the representation of financial institutions and online providers of financial services, and is counsel to the Electronic Financial Services Council.